CIS 7000: Theory and Practice of Succinct Zero Knowledge Proofs

Name: Theory and Practice of Succinct Zero Knowledge Proofs
Author: Pratyush Mishra

Basics

Instructor: Pratyush Mishra
Time: Tuesdays and Thursdays, 10:15AM-11:45AM
Location: Towne 311
Office hours: Thursdays 1-2PM, Towne 219B
Useful links: Ed Discussions; Canvas

Course Description

Zero knowledge proofs are a core object of study in cryptography that enable a prover to convince a verifier of the truth of a claim in an efficient and private manner. Despite their attractive properties, for most of their history zero knowledge proofs have remained of primarily theoretical interest. However, this has changed in the last decade with the development and deployment of very efficient zero knowledge proof systems called zkSNARKs. In this course, we will cover the mathematical foundations, implementation aspects, and applications of zkSNARKs.

Prerequisites

This course requires a basic background in discrete mathematics (at the level of CIS 1600), and a basic background in algorithms and complexity (at the level of CIS 3200).

Grading

Your grade in the course is determined by the following components:

Assignments (15%)
Regular attendance and participation (15%)
Presenting a paper (25%)
Completing a final project (45%)
- 10% for project proposal (due on 10/10/23)
- 15% for presentation
- 15% for final report

Schedule

For classes marked as Lecture, the assigned readings are optional.
For classes marked as Discussion, everyone is expected to read the assigned readings are (with the exception of “presenter-only” readings, which are mandatory only for the presenter. Feel free to read them if you want to, though!)

Date	Topic	Resources/Readings
08/29/2023 Lecture	Introduction and background Logistics and course overview Definition of cryptographic proof systems	Interactive proofs: Trading group theory for randomness. Babai. 1985 The knowledge complexity of interactive proof systems. Goldwasser, Micali, Rackoff. 1989
08/31/2023 Lecture	Interactive Oracle Proofs Definition of zkSNARKs Oracle Commitments [Slides]	Compiler from IOP to argument system: Lecture by Dan Boneh Talk by Alessandro Chiesa Talk by Pratyush
09/05/23 Lecture	Polynomial IOPs IOPs + Oracle Commitments -> Interactive Arguments PIOP for Polynomial Equality PIOP for ZeroCheck [Slides]	Polynomial Commitments. Kate, Zaverucha, Goldberg. 2010 Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS. Chiesa, Hu, Maller, Mishra, Vesely, Ward. 2019 Marlin explainer by Inbasekar
09/07/23 Lecture	Marlin PIOP I PIOP for rowcheck Linear verifier PIOP for lincheck [Slides]	Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS. Chiesa, Hu, Maller, Mishra, Vesely, Ward. 2019 Marlin explainer by Inbasekar
09/12/23 Lecture	Marlin PIOP II Holographic (Preprocessing) IOPs and SNARKs Complete Marlin PIOP KZG Polynomial Commitment [Slides]	Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS. Chiesa, Hu, Maller, Mishra, Vesely, Ward. 2019 Marlin explainer by Inbasekar
09/14/23 Lab	In-class lab for Marlin	Python notebook Python notebook (solved)
09/19/23 Lecture	Multilinear sumcheck + Spartan PIOP Multilinear extensions Multilinear sumcheck protocol Spartan PIOP [Slides]	Schwartz-Zippel lemma Sumcheck protocol: Algebraic methods for interactive proof systems. Lund, Fortnow, Karloff, Nisan. 1992 Spartan: Efficient and general-purpose zkSNARKs without trusted setup. Setty. 2020
09/21/23 Lecture	PC Schemes from Inner-product arguments (IPAs) Hardness of Discrete Logarithms Square-root sized IPA PC schemes from IPA [Slides]	Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting. Bootle, Cerulli, Chaidos, Groth, Petit. 2016 Bulletproofs: Short Proofs for Confidential Transactions and More. Bünz, Bootle, Boneh, Poelstra, Wuille, Maxwell. 2017
09/26/23 Lecture Lab	KZG PC Scheme Bilinear/pairing-friendly groups KZG PC Scheme In-class Lab for KZG PC Scheme [Slides]	Constant-Size Commitments to Polynomials and Their Applications. Kate, Zaverucha, Goldberg. 2010 Python notebook Python notebook (solved)
09/28/23 Lecture Discussion	Lookup protocols Discussion Lookups based on log-derivatives	Plookup. Gabizon, Williamson. 2020 Presenter only: Multivariate lookups based on logarithmic derivatives. Habock. 2022
10/03/2023 Lecture	Linear PCPs and IPs Preprocessing zkSNARKs Linear PCPs and Linear IPs Linear Encodings 2-round LIPs + Linear Encodings -> Preprocessing zkSNARKs Construction of linear encoding from bilinear groups (KoE and AGM) [Slides]	Succinct Non-Interactive Arguments via Linear Interactive Proofs. Bitansky, Chiesa, Ishai, Ostrovsky, Paneth. 2013 Efficient Arguments without Short PCPs. Ishai, Kushilevitz, Ostrovsky. 2007 Chapter 17 of Justin Thaler's manuscript
10/05/2023 Lab	In-class lab for Hadamard LPCP + AGM-based linear-only encoding	Python notebook will be provided
10/10/23 Lecture Discussion Project	Incrementally-Verifiable Computation and Proof-Carrying Data Short lecture: Proving incremental computations via IVC, construction from cycles of elliptic curves Discussion PCD without succinct arguments Project Project propsal due!	Scalable Zero Knowledge via Cycles of Elliptic Curves. Ben-Sasson, Chiesa, Tromer, Virza. 2014 Presenter only: Proof-Carrying Data without Succinct Arguments. Bünz, Chiesa, Lin, Mishra, Spooner. 2021
10/12/23	No class due to fall break
10/17/23	No class due to USENIX deadline
10/19/23 Lecture Discussion	Programming zkSNARKs Short lecture: Overview of zkSNARK programming paradigms Discussion CirC	CirC: Compiler infrastructure for proof systems, software verification, and more. Ozdemir, Brown, Wahby. 2020
10/24/23 Lecture Discussion	Formal verification for zkSNARKs Short lecture: Overview of formal verification for zkSNARKs Discussion Automated Detection of Underconstrained Circuits for ZKPs	Formal Verification of ZK Constraint Systems. Tan. 2022 Presenter only: Automated Detection of Underconstrained Circuits for Zero-Knowledge Proofs. Pailoor et al. 2023
10/26/23 Lecture Discussion	SNARKs for uniform computations Short lecture: Overview of uniform computations, and existing paradigms for these. Discussion TinyRAM	Sections 1 and 2 of SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. Ben-Sasson, Chiesa, Genkin, Tromer, Virza. 2013
10/31/23 Lecture Discussion	Systems aspects of zkSNARKs Short lecture: Overview of systems problems in zkSNARKs Distributed proving? GPU proving? Delegated proving? Discussion DIZK	DIZK: A Distributed Zero Knowledge Proof System. Wu, Zheng, Chiesa, Popa, Stoica. 2018
11/02/23 Lecture Discussion	Privacy-preserving payments Short lecture: Introduction to payments on blockchains Discussion Zerocash	Zerocash: Decentralized Anonymous Payments from Bitcoin. Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza. 2014 Optional: Full version of Zerocash paper
11/07/23 Lecture Discussion	Privacy-preserving smart contracts Short lecture: Introduction to smart contracts Discussion Zexe	Sections 1 and 2 of Zexe: Enabling Decentralized Private Computation. Bowe, Chiesa, Green, Miers, Mishra, Wu. 2020
11/09/23 Lecture Discussion	Succinct Blockchains Short lecture: What is a succinct blockchain? Discussion Incrementally-Verifiable Ledger Systems	Reducing Participation Costs via Incremental Verification for Ledger Systems. Chen, Chiesa, Dauterman, Ward. 2020
11/14/23 Lecture Discussion	Verifiable credentials Short lecture: Introduction to anonymous credentials and overview of Cinderella Discussion zk-creds	Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation. Delignat-Lavaud, Fournet, Kohlweiss, Parno. 2016 Presenter only: zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity Infrastructure. Rosenberg, White, Garman, Miers. 2023
11/16/23 Lecture Discussion	Collaborative zkSNARKs Short lecture: Introduction to multi-party computation Discussion Collaborative zkSNARKs	Experimenting with Collaborative zk-SNARKs: Zero-Knowledge Proofs for Distributed Secrets. Ozdemir, Boneh. 2022
11/21/23 Lecture Discussion	Rollups Short lecture: What is a rollup? Discussion Arbitrum	An Incomplete Guide to Rollups. Buterin. 2021 Arbitrum: Scalable, private smart contracts. Kalodner, Goldfeder, Chen, Weinberg, Felten. 2018
11/23/23	No class due to Thanksgiving
11/28/23 Lecture Discussion	zkSNARKs for Authenticated Edits Short lecture: zkSNARKs for controlled edits Discussion PhotoProof	PhotoProof: Cryptographic Image Authentication for Any Set of Permissible Transformations. Naveh, Tromer. 2016 Fighting AI-generated Audio with Attested Microphones and ZK-SNARKs: the Attested Audio Experiment. Kang. 2023 Using ZK Proofs to Fight Disinformation. Datta, Boneh. 2023
11/30/23	Societal Aspects of Cryptography Informal discussion, no presentation	First half of Caught in Between Theory and Practice. Bellare. 2014 The Moral Character of Cryptographic Work. Rogaway. 2015
12/05/23 Project	Final Project Presentations
12/07/23 Project	Final Project Presentations
12/15/23 Project	Final Project Report Due

Overview of course grade components

Reading assignments

Each class with a Discussion component will be accompanied by an assignment consisting of 1-2 short-answer questions about the assigned reading(s). These assignments will be posted on Canvas, and will be due before class.

Note: you are not required to read papers marked as “Presenter only” in the schedule below.

Attendance and participation

You are expected to attend lectures and participate in discussions, particularly for classes marked Discussion

Paper presentation

You will lead a 40-45 minute long discussion on a paper of your choice (from one of the classes marked Discussion). There will be a sign-up sheet on Ed for choosing papers. The discussion should include a brief presentation of the paper, interspersed with questions and discussion. An example split would be 25 minutes of presentation + 10 minutes of discussion + 5 minutes of feedback.

You can choose whatever presentation tools you see fit (chalkboard, slides, etc.). No matter the medium, you should aim for a presentation that:

motivates the problem tackled by the paper (most likely in relation to the material I introduce before your presentation), and
describes at a high-level the main protocol, idea, or system introduced in the paper.

See here for strategies on how to prepare for this presentation.

Final project

A core component of your grade will be determined by the final project. A project can be either a research project or a literature survey:

Research project: You are expected to form teams of size 1-2 people and undertake independent research in the broader area of zero-knowledge proofs. I encourage using Ed to find project partners. I will post a list of potential project ideas to Ed.
The ideal goal of this type of project is to make preliminary progress towards a result that can eventually be published at a major cryptography (CRYPTO, EUROCRYPT, TCC) or security (IEEE S&P, USENIX Security, ACM CCS) conference.
Note: students are encouraged to use ongoing research projects, but in this case they must clearly delineate work that had been done prior to the start of the course and work that was done during the course.
Literature survey: This is an individual project: you can pick any topic in the area of zkSNARKs (whether covered in the class or not), and write a survey of the existing literature on this topic. Your survey should pick a few relevant papers, summarize them in some depth, and provide a comparison between the chosen papers.

Both kinds of projects consist of the following deliverables:

Project proposal (due on 10/10/23): A 2-3-page proposal describing the project, and containing the following details:
- Teammates (if any)
- Proposed research problem/survey topic
- Initial study of prior work, with references that you plan to use. This is due on October 10th.
- Initial plan of attack (for research projects), or outline of the survey (for literature surveys)
Project presentation (due on either 12/05/23 or 12/07/23): The presentation should be high-level, and accessible to the entire class. It should contain the following information.
- Research project:
  - Problem introduction, and motivation (with a clear threat model).
  - Brief description of why existing techniques are insufficient.
  - High-level explanation of your contribution, and what you plan to do before the final report deadline.
- Literature survey:
  - Problem introduction, and motivation (with a clear threat model).
  - High-level overview of the important papers in the chosen problem space.
  - Explanation of the core contribution of 1 important paper, and how it relates to the other papers in the space.
Regarding the duration of the presentation, a 1-person group should prepare a 9-10 minute presentation, while a 2-person group should prepare a 12-minute presentation. Expect 3-4 minutes of questions per group.
Project report (due on either 12/15/23): The final report should be a single-column paper no longer than 8-10 pages (excluding references). It should contain the following information.
- Research project:
  - Teammates, if any.
  - Problem introduction, and motivation (with a clear threat model).
  - Comprehensive related work
  - Description of contributions (protocol design, security proof sketch, system design, application design, etc.)
  - Brief description of implementation (if appropriate), and experiment design (and results, if any).
- Literature survey:
  - Teammates, if any.
  - Problem introduction, and motivation (with a clear threat model).
  - High-level overview of the important papers in the chosen problem space
  - Detailed summary and comparison of the chosen papers.
  - Key takeaways, including open problems and future directions.